IY2840 Coursework 2:
Application and Web Security
Deadline: 10:00 am, 26 Mar 2021
This is a blind submission, and submissions must be made in a ZIP compressed file on
Moodle. This compressed file should include the coursework report and necessary source-code
files. The report must be in file PDF format, other formats such as: .docx or .pages are not
accepted. This coursework counts for 20% of your grade on this module and is worth 100
marks in total. We expect a good submission to be succinct and be less than six pages in
length. Learning outcomes assessed are:
• Understanding of UNIX/Linux and applications security.
• Understanding of how to exploit vulnerabilities and steps involved in their exploitation.
• Understanding of network packets and how to capture and investigate them.
• Understanding the fundamentals of network and Web attacks.
• Understanding the countermeasures and mitigation of these vulnerabilities and attacks.
IMPORTANT:
• SEED Unbuntu 16.04 virtual machine (https://seedsecuritylabs.org/lab_env.html)
should be used to develop and test some solutions for this coursework, you can use the
your SEED Ubuntu VM which is already used in the lab.
• Use the source file attachment (coursework2-files.zip) for Question 1 and Question 2.
• Use Wireshark to analyse the .pcap files in the coursework attachment.
• Download the following virtual machine (Web Server, 3.7GB) for Question 3:
– The Web Server VM: https://www.dropbox.com/s/apmwm8sm9g9qrue/ubuntu_web_
server_vm_cw2_2021.ova?dl=0
This VM must be used to test some solutions of Question 1 as it includes a running
Web server required for this question. Therefore, you need to install this VM on your
own machine and along with this VM you need also to use another machine like your
SEED VM used in the lab as an attacker machine. Keep in mind, you dont have access
to the Web server VM, except through the network (browsing port 80). To setup the
environment, follow the setup and configuration environment guidelines section
(see Appendix).
• All answers related to developing a program will be checked on a SEEDLab VM, so it is
important to make sure that your solutions being provided are executable on this platform.
1
This coursework aims to have you reflect on Unix, Application, Network and Web security.
To get started, it is important to review the lecture notes and lab materials, the course text,
but also to investigate online resources. We are not after essays in this coursework. We are
after concise and succinct responses to each question with some proof of implementation (code
snippets and screenshots). Do share useful resources that you find with others on the Moodle
forum, but do not give any answers away. Note: All the work you submit must be
solely your own work and you should make sure the submitted file not corrupted.
Submissions are routinely checked for plagiarism.
Questions
1. Question 1 (Total 30 Marks): Linux and Application Security
(a) An organisation is running a service to welcome its agents by printing a greeting
message along with their name on their terminal screen. The developer in this
organisation has created the C program (vulnerable − prog.c) to implement this
service on the Ubuntu 32bit Linux server and you are asked to compile the program
and manage its permissions in the operating system.
i. Compile the vulnerable − prog.c file using gcc but you have to disable the
smashing stack feature and enable the executable stack feature to be able to
solve the subsequent questions. Then, run the program and provide a terminal
screenshot of the outcome.
ii. The compiled program (file) has to be a root-owned Set-UID program, report
how to accomplish that, you may need to use some file permission Linux
instructions. Display the program file permissions in a terminal screenshot.
(3 marks)
Submit your answer and screenshots in your report.
(b) A cyber security team in the organisation has discovered that the previous program
(vulnerable-prog) is vulnerable to stack-based-buffer-overflow. As a pen-tester, you
have been assigned to perform a penetration test to check if this vulnerability is
exploitable in the system. You need to prepare the payload and exploit which will be
used for spawning shell with the root permission. You have an exploit file (exploit.c)
but this source-code file is incomplete having some missing codes.
i. Fix the exploit.c file by completing the missing parts of this file. Replace “?”
with the appropriate instructions or values to be able to compile and run the
exploit program. Beforehand, you will need to understand the buffer-overflow
exploit program and how the shell code is injected to have such an successful
attack [Hint: you may need to review the stack frame layout]. You may need to
turn off the buffer-overflow countermeasure features while compiling and running
the program (i.e. kernel.randomize va space = 0).
2
ii. Briefly explain and justify the entire program after fixing it and provide the
execution output (a screenshot), you may use code comments for the description
of the program. To get the full mark of this part, the new exploit program must
be executable, so include the amended exploit.c file in the submission.
(17 marks)
Submit your answer and screenshots in your report, along with the updated
exploit.c file
(c) Turn on the countermeasure (i.e. kernel.randomize va space = 2) which is associated
with the space address randomisation and run the exploit program (the amended
exploit.c file) again. Briefly explain the observation and provide a screenshot.
Then, write a shell script to defeat this countermeasure. The shell script should also
include a feature to display the cost of defeating using the metric of either the actual
time (hh:mm:ss) or the number of runs. Briefly explain the scripts and provide a
screenshot for the output. Also, include the shell script in the submission. Note:
In order to answer this part, you should have already solved the previous question,
Question 1b.
(10 marks)
Submit your answer and screenshots in your report, along with the script file
2. Question 2 (Total 30 Marks): Network Security
A security analyst team has the cp1.pcap, cp2.pcap and cp3.pcap files which are network
traffic captures of different network segments. They needs to identify potential attacks in
these files. You are asked to assist them in their task by doing the following:
(a) Examine these pcap files to determine the attacks within these files using
Wireshark; keep in mind, each file has only one attack. Justify your answers
including the description of those identified attacks and some screenshots of parts in
the traffic (the pcap files) which refer to the attacks if necessary.
(15 marks)
Submit your answer and your justification in your report.
(b) It is important for security analysts to understand suspicious activity in pcap files.
This is often done by reproducing attacks. Write a program or shell-script that
reproduces the attack in cp3.pcap [Hint: refer to Lab7 on how to create network
programs] and describe briefly the program in the report. Also, provide the pcap
traffic capture of running your program being developed using WireShark (your pcap
and the provided pcap files are not expected to be identical, as some IP addresses
would be different in your network settings. Note: you are not expected to reproduce
the pcap content line by line, but it has to be the same attack).
(15 marks)
Submit your source-code and your traffic-capture file from running your program.
3
3. Question 3 (Total 40 Marks): Web Security
Figure 1: Environment setup. See the appendix for setup information
A company “IY2840 Co.” owns a website, (http://10.0.2.x/index.html (x here is an
unknown part of the Web server IP address and students are expected to find it), this URL
refers to the virtual machine provided (Ubuntu Web Server VM) that hosts the company
web server, refer to Figure 1 which is utilised for managing the employees records of the
company. In order to access the website resources, you need to have a login credentials.
However, this website is vulnerable to SQL injection (SQLi) and cross-site scripting (XSS)
attacks.
(a) How can an attacker bypass the website login without having access
credentials? Assume there is an ’admin’ user for this system. Justify your
answer showing at least three different patterns of injections and report the output
(screenshots).
(10 marks)
Submit your answer and your justification in your report.
(b) An attacker is often keen on cracking the ’admin’ password in the system, however a
password is usually protected by a hashing function (SHA1 is used in this website).
How can an attacker learn about the stored password for the admin user
in this website?
• Demonstrate the steps to perform this attack including the necessary injected
SQL statements.
• Report the necessary screenshots.
(15 marks)
Submit your answer and screenshots in your report.
[Hints: for this question you should not use any type of available brute force attack
tools for cracking the website login in this system (i.e. hitting the system with many
randomised passwords). However, this question requires you to perform a number
4
of steps to learn about the website database (schema, tables and columns) to reach
and extract the stored password data. Then, you need to recover the actual password
using any online or offline tools.]
(c) Within so many websites, a session cookie approach is still widely used as a means to
maintain a session of an authenticated user. This cookie is normally created once a
user logs on to the website.
Suppose that you have already compromised the admin password from the previous
question. Create an XSS attack to be able to persistently steal the cookies
for the current admin sessions in the websites even if the admin changes
the password and the SQL injection vulnerability is fixed for the website
hereafter. As an attacker, you need to find out the sink where to inject the script
which facilitates obtaining the cookie and how to receive the cookie. Also, you may
need to take advantage of nc command to create a server in the attacker VM (your
own virtual machine) to capture the cookie.
Also, you need to use the following JavaScript/HTML methods to create a workable
script for the attack, however proposing some different alternatives of script methods
is acceptable as long as these scripts are executable:
1) Image().src="link to the image"
2) document.cookie
• Report the steps of the scenario and the stolen cookie.
• Provide all necessary outputs (screenshots and traffic capture) indicating that you
perform a successful attack.
• Can you identify the type of the XSS attack in this context?
(15 marks)
Submit your answer and screenshots in your report, along with a traffic packet capture
file.
SD & JH 12 March 2021
5
Appendix: Setup and config. environment guidelines
In addition to your existing SEED Lab VM, you will for the purposes of this coursework also
need a separate VM to be your Web server.
1. Install VirtualBox: https://www.virtualbox.org/wiki/Downloads. Make sure you are
using the most up-to-date VirtualBox.
Installation Notes for different platforms:
• Mac: you need to allow Oracle apps to be installed in the security and privacy setting.
• Windows: check that your machine has enabled virtualization. This can be done by
entering your bios and enabling virtualization in a setting there. To check whether
you have virtualization enabled or not, we suggest you go to your task manager,
see a screenshot here: https://www.shaileshjha.com/wp-content/uploads/2017/
02/windows_10_task_manager_performance_tab_virtualization_enabled.jpg
• Linux, we expect the problem would be the same as windows.
2. Download the Web server virtual machines.
3. Import the Web Server virtual machine. Follow how to import OVA files here: https:
//www.virtualbox.org/manual/ch01.html#ovf-import-appliance.
4. Click “File” on the top left of the VirtualBox main UI. Then click “Preferences” as shown
in Figure 2.
Figure 2: Preferences
5. Click the “Network” tab on left panel. click the “+” icon to create a new NAT Networks
(NatNetwork) adaptor (if one does not exist). Double click on the NatNetwork, and look
at its configuration. Set the configuration as the same as what is shown in Figure 3.
6. Enable Adapter 1 (and disable the other adapters if any are enabled), then choose “NAT
Network” and then NatwNetwork which is already declared in the previous step.
7. [IMPORTANT] Switch on both VMs. After you have switched on both, they will be given
an IP address each, it will be like 10.0.2.x IP address. You will need to find out what IP
6
Figure 3: Network Configuration
Figure 4: VM Network Adapter (the MAC address can be whatever VirtualBox assigns it.)
address is your Web server VM to in order to browse the website from your SEED Lab
VM. You can either scan your network to do so, or use a number of Linux commands to
find this out.